[lug] cgi shell

Sean Reifschneider jafo at tummy.com
Tue Feb 4 13:04:53 MST 2003


On Mon, Feb 03, 2003 at 04:23:02PM -0700, jd wrote:
>So I downloaded it and tried it...pretty scary, it allowed me
>to get to / and go wherever I wanted. Is there a way to

What's so scary about that?  If you allow your users to install their
own CGIs, then they've always had the ability to do this sort of thing,
whether using "cgishell" or writing a cgi that does an
"os.system('/bin/ls')" sort of call...

If you are allowing your users to install their own CGIs, they already
have these abilities.  If that scares you, you obviously need to do some
work on the security on your system.  ;-)

cgiwrap and appropriate permissions for each user directory are probably
the minimum security steps you want to take.  It depends on what you're
interested in protecting, though...

Sean
-- 
 Windows NT: From the people who brought you 640K and EDLIN
Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995.  Qmail, Python, SysAdmin
      Back off man. I'm a scientist.   http://HackingSociety.org/
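
An added example, not part of the original post: a small audit of per-user directory permissions of the kind the reply recommends checking. The policy it applies (a home directory should not be listable by others or writable by group/other, and nothing beneath it should be world-writable) and the names audit_home, audit_all and build_sample_tree are assumptions made for this illustration; the sample tree is constructed.

```python
import os
import stat
import tempfile

def audit_home(home):
    """Return (path, problem) findings for one user's home directory."""
    findings = []
    mode = stat.S_IMODE(os.lstat(home).st_mode)
    if mode & stat.S_IROTH:
        findings.append((home, "home directory listable by other users"))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((home, "home directory writable by group/other"))
    for root, dirs, files in os.walk(home):
        for name in dirs + files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
    return findings

def audit_all(base):
    """Audit every real directory directly under base (e.g. /home)."""
    findings = []
    for entry in sorted(os.listdir(base)):
        home = os.path.join(base, entry)
        if os.path.isdir(home) and not os.path.islink(home):
            findings.extend(audit_home(home))
    return findings

def build_sample_tree():
    """Constructed sample layout: 'alice' is locked down, 'bob' is not."""
    base = tempfile.mkdtemp()
    for user, home_mode, cgi_mode in (("alice", 0o711, 0o700), ("bob", 0o755, 0o777)):
        cgi_dir = os.path.join(base, user, "public_html", "cgi-bin")
        os.makedirs(cgi_dir)
        script = os.path.join(cgi_dir, "test.cgi")
        with open(script, "w") as f:
            f.write("#!/bin/sh\necho 'Content-type: text/plain'; echo; echo ok\n")
        os.chmod(script, cgi_mode)
        for d in (cgi_dir, os.path.dirname(cgi_dir)):
            os.chmod(d, 0o711)  # set explicitly so the result ignores umask
        os.chmod(os.path.join(base, user), home_mode)
    return base

if __name__ == "__main__":
    for path, problem in audit_all(build_sample_tree()):
        print(f"{problem}: {path}")
```

Point audit_all at the real parent of the user directories to run it on a live system; it only reads metadata and changes nothing.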


